X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=TODO;h=ef25ef578e667e7ad72c2ec39d6dec6e7eddf3fa;hp=10a20758bab4df800d751fe1e3da06fb656a1c52;hb=c2c096d2926572113cba380fde34b119661d45f8;hpb=660f3fe8fb9cea5399e1421ed51bb6e4d49cc46c diff --git a/TODO b/TODO index 10a20758b..ef25ef578 100644 --- a/TODO +++ b/TODO 
@@ -33,14 +33,78 @@ Janitorial Clean-ups: Features: +* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files + +* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc + +* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) + +* ProtectDevices= should also take iopl/ioperm/pciaccess away + +* ProtectKeyRing= to take keyring calls away + +* PrivateUsers= which maps the all user ids except root and the one specified + in User= to nobody + +* Add AllocateUser= for allowing dynamic user ids per-service + +* Add DataDirectory=, CacheDirectory= and LogDirectory= to match + RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user. + +* Add BindDirectory= for allowing arbitrary, private bind mounts for services + +* Beef up RootDirectory= to use namespacing/bind mounts as soon as fs + namespaces are enabled by the service + +* Add RootImage= for mounting a disk image or file as root directory + +* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) + +* nspawn: make /proc/sys/net writable? 
+ +* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things + +* journalctl: make sure -f ends when the container indicated by -M terminates + +* expose the "privileged" flag of ExecCommand on the bus, and open it up to + transient units + +* allow attaching additional journald log fields to cgroups + +* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the + kernel doesn't support linkat() that replaces existing files, currently) + +* check if DeviceAllow= should split first, resolve specifiers later + +* transient units: don't bother with actually setting unit properties, we + reload the unit file anyway + +* journald: sigbus API via a signal-handler safe function that people may call + from the SIGBUS handler + +* when using UTF8, ellipsize with "…" rather than "...", so that we can show more contents before truncating + +* move specifier expansion from service_spawn() into load-fragment.c + +* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown + +* resolved: when routing queries, make sure only look for the *longest* suffix... + +* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it + in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle + +* cache sd_event_now() result from before the first iteration... + +* add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction + +* Maybe add a way how users can "pin" units into memory, so that they are not subject to automatic GC? + * PID1: find a way how we can reload unit file configuration for specific units only, without reloading the whole of systemd -* add an explicit parser for LimitNICE= and LimitRTPRIO= that verifies +* add an explicit parser for LimitRTPRIO= that verifies the specified range and generates sane error messages for incorrect - specifications. 
Also, for LimitNICE= maybe introduce a syntax such - as "+5" or "-7" in order to make the limits more readable as they - are otherwise shifted by 20. + specifications. * do something about "/control" subcgroups in the unified cgroup hierarchy @@ -48,18 +112,10 @@ Features: * push CPUAffinity= also into the "cpuset" cgroup controller (only after the cpuset controller got ported to the unified hierarchy) -* add a new command "systemctl revert" or so, that removes all dropin - snippets in /run and /etc, and all unit files with counterparts in - /usr, and thus undoes what "systemctl set-property" and "systemctl - edit" create. Maybe even add "systemctl revert -a" to do this for - all units. - * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) * consider throwing a warning if a service declares it wants to be "Before=" a .device unit. -* "systemctl edit" should know a mode to create a new unit file - * there's probably something wrong with having user mounts below /sys, as we have for debugfs. for exmaple, src/core/mount.c handles mounts prefixed with /sys generally special. 
@@ -67,21 +123,12 @@ Features: * man: document that unless you use StandardError=null the shell >/dev/stderr won't work in shell scripts in services -* "systemctl daemon-reload" should result in /etc/systemd/system.conf being reloaded by systemd - -* install: include generator dirs in unit file search paths - -* invent a better systemd-run scheme for naming scopes, that works with remoting - -* rework C11 utf8.[ch] to use char32_t instead of uint32_t when referring - to unicode chars, to make things more expressive. - * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date * mounting and unmounting mount points manually with different source - devices will result in collected collected on all devices used. + devices will result in collected on all devices used. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030225.html * add a job mode that will fail if a transaction would mean stopping @@ -103,9 +150,10 @@ Features: * Rework systemctl's GetAll property parsing to use the generic bus_map_all_properties() API -* core/cgroup: support net_cls modules, and support automatically allocating class ids, then add support for making firewall changes depending on it, to implement a per-service firewall +* implement a per-service firewall based on net_cls -* Port various tools to make use of verbs.[ch], where applicable +* Port various tools to make use of verbs.[ch], where applicable: busctl, + bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl * hostnamectl: show root image uuid 
@@ -125,8 +173,6 @@ Features: * as soon as we have kdbus, and sender timestamps, revisit coalescing multiple parallel daemon reloads: http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html -* the install state probably shouldn't get confused by generated units, think dbus1/kdbus compat! - * in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column * figure out when we can use the coarse timers @@ -138,8 +184,6 @@ Features: * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists -* add infrastructure to allocate dynamic/transient users and UID ranges, for use in user-namespaced containers, per-seat gdm login screens and gdm guest sessions - * maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment= * introduce systemd-timesync-wait.service or so to sync on an NTP fix? 
@@ -155,20 +199,16 @@ Features: * maybe provide an API to allow migration of foreign PIDs into existing scopes. -* maybe support a new very "soft" reboot mode, that simply kills all processes, disassembles everything, flushes /run and sysvipc, and then reexecs systemd again - * man: maybe use the word "inspect" rather than "introspect"? * systemctl: if some operation fails, show log output? -* systemctl edit: -- allow creation of units from scratch -- use equvalent of cat() to insert existing config as a comment, prepended with #. +* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #. Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc. -* exponential backoff in timesyncd and resolved when we cannot reach a server +* exponential backoff in timesyncd when we cannot reach a server -* timesyncd + resolved: add ugly bus calls to set NTP and DNS servers per-interface, for usage by NM +* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM * extract_many_words() should probably be used by a lot of code that currently uses FOREACH_WORD and friends. For example, most conf 
@@ -183,23 +223,16 @@ Features: (throughout the codebase, not only PID1) * resolved: - - put networkd events and rtnl events at a higher priority, so that - we always process them before we process client requests - - DNSSEC - - add display of private key types (http://tools.ietf.org/html/rfc4034#appendix-A.1.1)? - - DNS - - search paths - mDNS/DNS-SD + - service registration + - service/domain/types browsing - avahi compat - DNS-SD service registration from socket units - - edns0 - - dname: Not necessary for plain DNS as synthesized cname is handed out instead if we do not - announce dname support. However, for DNSSEC it is necessary as the synthesized cname - will not be signed. - - cname on PTR (?) - resolved should optionally register additional per-interface LLMNR names, so that for the container case we can establish the same name (maybe "host") for referencing the server, everywhere. + - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - hook up resolved with machined-based address resolution * refcounting in sd-resolve is borked @@ -213,8 +246,6 @@ Features: * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. -* timer units: actually add extra delays to timer units with high AccuracySec values, don't start them already when we are awake... - * a way for container managers to turn off getty starting via $container_headless= or so... * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit @@ -237,7 +268,7 @@ Features: CAP_NET_ADMIN is set, more than the loopback device is defined, even when it is otherwise off -* MessageQueueMessageSize= and RLimitFSIZE= (and suchlike) should use parse_iec_size(). +* MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). * "busctl status" works only as root on dbus1, since we cannot read /proc/$PID/exe 
@@ -252,7 +283,7 @@ Features: and passes this back to PID1 via SCM_RIGHTS. This also could be used to allow Chown/chgrp on sockets without requiring NSS in PID 1. -* New service property: maximum CPU and wallclock runtime for a service +* New service property: maximum CPU runtime for a service * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls @@ -282,8 +313,6 @@ Features: * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 -* unify dispatch table in systemctl_main() and friends - * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs @@ -325,10 +354,6 @@ Features: - path escaping - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now - test bloom filter generation indexes - - bus-proxy: when passing messages from kdbus, make sure we properly - handle the case where a large number of fds is appended that we - cannot pass into sendmsg() of the AF_UNIX sokcet (which only accepts - 253 messages) - kdbus: introduce a concept of "send-only" connections - kdbus: add counter for refused unicast messages that is passed out via the RECV ioctl. SImilar to the counter for dropped multicast messages we already have. @@ -339,10 +364,6 @@ Features: - generate a failure of a default event loop is executed out-of-thread - maybe add support for inotify events -* in the final killing spree, detect processes from the root directory, and - complain loudly if they have argv[0][0] == '@' set. - https://bugzilla.redhat.com/show_bug.cgi?id=961044 - * investigate endianness issues of UUID vs. GUID * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we 
@@ -382,7 +403,7 @@ Features: * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() -* remove any syslog support from log.c -- we probably cannot do this before split-off udev is gone for good +* remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good * shutdown logging: store to EFI var, and store to USB stick? @@ -491,10 +512,6 @@ Features: - journal-or-kmsg is currently broken? See reverted commit 4a01181e460686d8b4a543b1dfa7f77c9e3c5ab8. - man: document that corrupted journal files is nothing to act on - - systemd-journal-upload (or a new, related tool): allow pushing out - journal messages onto the network in BSD syslog protocol, - continuously. Default to some link-local IP mcast group, to make this - useful as a one-stop debugging tool. - rework journald sigbus stuff to use mutex - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our services that run under their own user ids, and use User= (but only @@ -506,8 +523,6 @@ Features: written to as FAIL, but instead show that their are being written to. - add journalctl -H that talks via ssh to a remote peer and passes through binary logs data - - change journalctl -M to acquire fd to journal directory via machined, and - then operate on that via openat() instead of absolute paths - add a version of --merge which also merges /var/log/journal/remote - log accumulated resource usage after each service invocation - journalctl: -m should access container journals directly by enumerating 
@@ -541,19 +556,17 @@ Features: - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? - systemctl: "Journal has been rotated since unit was started." message is misleading - better error message if you run systemctl without systemd running - - systemctl status output should should include list of triggering units and their status + - systemctl status output should include list of triggering units and their status * unit install: - "systemctl mask" should find all names by which a unit is accessible (i.e. by scanning for symlinks to it) and link them all to /dev/null - - systemctl list-unit-files should list generated files (and probably with a new state "generated" for them, or so) * timer units: - timer units should get the ability to trigger when: o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET) o DST changes - Support 2012-02~4 as syntax for specifying the fourth to last day of the month. - - calendarspec: support value ranges with ".." notation. Example: 2013-4..8-1 - Modulate timer frequency based on battery state * add libsystemd-password or so to query passwords during boot using the password agent logic @@ -573,8 +586,6 @@ Features: - to allow "linking" of nspawn containers, extend --network-bridge= so that it can dynamically create bridge interfaces that are refcounted by the containers on them. For each group of containers to link together - - refuses to boot containers without /etc/machine-id (OK?), and with empty - /etc/machine-id (not OK). - nspawn -x should support ephemeral instances of gpt images - emulate /dev/kmsg using CUSE and turn off the syslog syscall with seccomp. That should provide us with a useful log buffer that 
@@ -595,8 +606,6 @@ Features: - should send out sd_notify("WATCHDOG=1") messages - optionally automatically add FORWARD rules to iptables whenever nspawn is running, remove them when shut down. - - add a logic for cleaning up read-only, hidden container images in - /var/lib/machines that are not ancestors of any non-hidden containers - Improve error message when --bind= is used on a non-existing source directory - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only @@ -609,8 +618,6 @@ Features: removed or added to an existing machine - "machinectl migrate" or similar to copy a container from or to a difference host, via ssh - - man: document how update dkr images works with machinectl - http://lists.freedesktop.org/archives/systemd-devel/2015-February/028630.html - introduce systemd-nspawn-ephemeral@.service, and hook it into "machinectl start" with a new --ephemeral switch - "machinectl status" should also show internal logs of the container in @@ -623,8 +630,6 @@ Features: shell in it, and marks it read-only after use * importd: - - dkr: support tarsum checksum verification, if it becomes reality one day... - - dkr: convert json bits to nspawn configuration - generate a nice warning if mkfs.btrfs is missing * cryptsetup: @@ -644,8 +649,6 @@ Features: * initialize the hostname from the fs label of /, if /etc/hostname does not exist? -* rename "userspace" to "core-os" - * udev: - move to LGPL - kill scsi_id @@ -661,10 +664,6 @@ Features: * coredump: - save coredump in Windows/Mozilla minidump format - move PID 1 segfaults to /var/lib/systemd/coredump? - - make the handler check /proc/$PID/rlimits for RLIMIT_CORE, - and supress coredump if turned off. Then change RLIMIT_CORE to - infinity by default for all services. This then allows per-service - control of coredumping. * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) 
@@ -736,7 +735,6 @@ Features: - Support --test based on current system state - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). - after deserializing sockets in socket.c we should reapply sockopts and things - - make timer units go away after they elapsed - drop PID 1 reloading, only do reexecing (difficult: Reload() currently is properly synchronous, Reexec() is weird, because we cannot delay the response properly until we are back, so instead of @@ -765,17 +763,6 @@ Features: - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely - consider adding RuntimeDirectoryUser= + RuntimeDirectoryGroup= -* systemd-python: - - figure out a simple way to wait for journal events in a way that - works with ^C - - add documentation to systemd.daemon - -* bootchart: - - plot per-process IO utilization - - group processes based on service association (cgroups) - - document initcall_debug - - kernel cmdline "bootchart" option for simplicity? - * udev-link-config: - Make sure ID_PATH is always exported and complete for network devices where possible, so we can safely rely @@ -797,7 +784,6 @@ Features: - work with non-Ethernet devices - add support for more bond options - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? - - add LLDP client side support - the DHCP lease data (such as NTP/DNS) is still made available when a carrier is lost on a link. It should be removed instantly. - expose in the API the following bits:
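Review bot: In the hunk at @@ -33,14 +33,78 @@, the new ProtectClock= item names a capability that does not exist: the Linux capability that gates settimeofday() and adjtimex() is CAP_SYS_TIME, not CAP_SYS_TIMES. The same line has two more slips ("seecomp" for "seccomp", and "DeviceAllow o /dev/rtc" for "DeviceAllow to /dev/rtc"); suggested form: `* ProtectClock= (drops CAP_SYS_TIME, adds seccomp filters for settimeofday, adjtimex), sets DeviceAllow to /dev/rtc`. Two wording issues in the other added lines: ProtectMount= says "drop mount/umount/pivot_root from seccomp", which reads as removing those syscalls from a filter, whereas the sibling items describe blocking syscalls with a seccomp filter, so "filter out mount/umount/pivot_root via seccomp" is clearer; and PrivateUsers= "maps the all user ids" should be "maps all user ids".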
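Review bot: In the hunk at @@ -67,21 +123,12 @@, deleting the repeated word leaves the sentence incomplete: "mounting and unmounting mount points manually with different source devices will result in collected on all devices used" still has no noun after "collected", so the item is only understandable via the linked mailing-list thread. Restate the item as a full sentence rather than just dropping the duplicate.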
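Review bot: In the hunk at @@ -103,9 +150,10 @@, the rewritten net_cls line drops the prerequisites the old line listed (net_cls module support and automatic allocation of class ids). A per-service firewall keyed on net_cls needs a class-id allocation scheme, so keep that part, e.g. `* implement a per-service firewall based on net_cls (needs automatic class id allocation)`. The expanded verbs.[ch] list naming busctl, bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze and timedatectl is a useful concretization.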
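Review bot: In the hunk at @@ -138,8 +184,6 @@, the removed item covered dynamic/transient UID allocation for user-namespaced containers, per-seat gdm login screens and guest sessions, while the only replacement in this patch is the per-service `AllocateUser=` item added at @@ -33,14 +33,78 @@. If the container and login-screen use cases are still wanted, keep them on the list or fold them into the AllocateUser= item; if the scope was narrowed deliberately, the commit message should say so.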
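Review bot: In the hunk at @@ -155,20 +199,16 @@, the rewritten "systemctl edit" line carries the typo "equvalent" over from the removed line; since the line is being rewritten anyway, make it "equivalent".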
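Review bot: In the hunk at @@ -183,23 +223,16 @@, the resolved list ends up with two overlapping bullets: the added "service registration" under mDNS/DNS-SD and the retained "DNS-SD service registration from socket units". Merge them, or state what the first covers beyond the socket-unit case. Separately, the DNSSEC, edns0 and dname bullets are removed while a new bullet "allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)" is added; if the removals mean DNSSEC support has landed, say so in the commit message, otherwise the new per-lookup item has no base feature to build on.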
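Review bot: In the hunk at @@ -382,7 +403,7 @@, the only change is swapping the ASCII "--" in the log.c item for a Unicode em dash. Other items in this file use plain "--" (see the systemctl edit lines at @@ -155,20 +199,16 @@), so this is a gratuitous encoding change to a plain-text file; drop the hunk or keep "--".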
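Review bot: In the hunk at @@ -506,8 +523,6 @@, the removed item ("change journalctl -M to acquire fd to journal directory via machined, and then operate on that via openat() instead of absolute paths") is a hardening item rather than a cosmetic one: resolving a container's journal by absolute host path follows whatever symlinks and mounts exist inside the container tree, whereas a directory fd obtained from machined plus openat() pins the lookup to the intended directory. Unless it was dropped because it has already been implemented, it should stay on the list.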
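Review bot: In the hunk at @@ -573,8 +586,6 @@, the removed nspawn item about refusing to boot containers with a missing ("OK?") or empty ("not OK") /etc/machine-id is deleted with its open questions unresolved; if a decision was taken, record it instead of dropping the item. Also, the retained context line "emulate /dev/kmsg using CUSE and turn off the syslog syscall with seccomp" overlaps with the new ProtectKernelLogs= item at @@ -33,14 +33,78 @@ (seccomp for syslog(), DeviceAllow for /dev/kmsg); cross-reference the two so the same seccomp filter is implemented once.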
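Review bot: In the hunk at @@ -623,8 +630,6 @@, the removed "dkr: support tarsum checksum verification" item is the only integrity-verification entry under importd; after this change there is no TODO covering verification of pulled dkr image content. If dkr support is being removed from this tree altogether, state that in the commit message; otherwise keep a verification item even if tarsum itself never materializes, as the original wording already allows for.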
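Review bot: In the hunk at @@ -661,10 +664,6 @@, the removed coredump item (check RLIMIT_CORE and suppress the dump if it is off, then default RLIMIT_CORE to infinity for services) is the mechanism that gives "per-service control of coredumping", i.e. the way a service handling secrets opts out of having its memory written to disk on crash; dropping it leaves no per-service opt-out on this list. Keep the item unless the handler already honours RLIMIT_CORE, and if it stays, fix "supress" to "suppress" and the path to /proc/$PID/limits (there is no /proc/$PID/rlimits).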